To hear the media tell the tale, being an IT or cybersecurity professional involves a constant, pitched battle against forces from the web’s seedy underbelly. There’s always some new malware making the rounds, some new exploit that’s crippling businesses or some new hacking group that’s making off with our data. All that stuff is certainly happening, of course - it’s no secret that hackers and their tools are growing more sophisticated.
But at the end of the day, that’s not the biggest problem facing cybersecurity teams. It’s the fact that people are careless. Not just in their browsing habits, but in the day-to-day maintenance of their applications and platforms.
That’s the challenge facing the WordPress Security Team. As the most popular Content Management System on the web, WordPress is no stranger to being a target - and you’ve probably read about such attacks in the past. Believe it or not, WordPress itself is quite secure.
The issue is that millions of its users run outdated versions of the content management system, along with older versions of both plugins and themes.
For their part, the WordPress security team has done an admirable job of trying to keep these people safe in spite of themselves. They’ve been backporting critical security patches to WordPress versions up to five years old. They’re also collaborating with the likes of Google, XWP, and a few others on a project called Tide, which will show a five-star rating under each plugin, meant to give an idea of code quality and security.
On the other hand, they’re working to eliminate older versions of WordPress altogether - for now, by gently urging users to update.
Here’s the problem with all this. If you’re still using an outdated WordPress version or you still refuse to update your plugins and themes, you will remain part of the problem. You’ll be subject to vulnerabilities that are publicly disclosed and widely known. And if you think hackers won’t attempt to target you with those exploits, you’re naive.
Remember that around 90% of companies hit by cyberattacks are struck by attacks that target vulnerabilities three years old or older (and a further 60% target vulnerabilities that have been around for a decade or more).
If it helps, look at it this way. Running a site with outdated software is a little like never bothering to check the locks on your doors and leaving your windows open when you’re out. Sure, there’s a chance you’ll be okay - a chance you’ll get through unscathed.
But there’s an equally high chance you’ll end up getting robbed.
So, for the sake of WordPress’s security team, your own users, and yourself, update your software. Make sure you’re running the latest version of every plugin and theme. And don’t let yourself fall behind on updates again.